Spartanburg Breach Affects 400,000…But They’re Not Telling
According to the Office for Civil Rights (OCR) webpage listing breaches of PHI over 500, a theft affecting an originally unreleased number of patients turned out to have impacted approximately 4,000 patients…times 100. You’d never guess from the short Press Release available on the Spartanburg Regional Healthcare System website, or, it appears, from any other information released by Spartanburg itself (See HealthDataManagement), but approximately 400,000 patients were affected by the theft of a Spartanburg computer from an employee’s car on March 28, 2011. Although certainly not the largest number of affected patients for a given breach incident (See on the ONC website, for example, AvMed in 2009 with 1,220,000 affected patients, the North Bronx Healthcare Network with 1,700,000 last year, as well as Health Net with 1,900,000 for a breach this past January), the number places Spartanburg squarely within some of the largest breaches of patient information in the past few years.
Notice to thousands of patients of the theft began in late May of 2011. According to the Press Release, the employee was authorized to have possession of the computer which was stolen. It stated Spartanburg had no reason to believe any information had been misused as the file containing patient Social Security Numbers, names, addresses and dates of birth had been password protected. However, it notified affected individuals that Spartanburg had made available, free of cost, identity theft consultation and restoration as well as ongoing credit monitoring.
Surprisingly, the Press Release is devoid of any information regarding how many patients had been or could have been affected, and it does not appear that Spartanburg has acknowledged the high count anywhere other than in its required notice to HHS of the breach. Although Spartanburg may not have known the full extent of the breach when it first discovered the breach and began to notify patients, the fact that it has still not publicly acknowledged the substantial number of patients affected is perplexing.
While the HITECH Act does not require that patient notification include how many individuals have been affected by a given breach incident, nor does it require the release of any sensitive information regarding the incident, downplaying (or at least avoiding) the magnitude of the breach certainly wouldn’t seem to me to be the top choice among PR options. Given that notice to HHS is required for all breaches affecting over 500 individuals and such information is made available on OCR’s website, the information was destined to come out eventually.